From: Jim Choate <ravage@ssz.com>
Date: Mon, 27 Oct 1997 10:38:49 +0800
To: cypherpunks@ssz.com (Cypherpunks Distributed Remailer)
Subject: Re: Orthogonality and Disaster Recovery (fwd)
Message-ID: <199710270228.UAA02091@einstein.ssz.com>
MIME-Version: 1.0
Content-Type: text



Forwarded message:

> Date: Sun, 26 Oct 1997 18:03:16 -0800
> From: David Sternlight <david@sternlight.com>
> Subject: Re: Orthogonality and Disaster Recovery

> > Do all E-Mail vendors need to be cryptologist?? 
> 
> If the client's e-mail is to be secure, yes. But let's be accurate here.

I absolute agree we need to be accurate. To that end, it is not the
applications that need security but rather the network and session layers.

> > Do all cryptologist need
> > to be application vendors?? Obviously not.
> 
> Now that IS nonsensical because cryptology is a wide and deep art only a small
> part of which has to do with mail applications themselves. In contrast, mail
> applications to be secure must use encryption. There's some very muddy
> thinking going on in your post.

He said 'application vendors', not just mail. Pay attention to the details
of the argument and quit trying to change the subject without specificaly
noteing the change, otherwise known as a strawman. His muddy thinking
doesn't stand alone.

> > PGP is a tool much like a
> > database is. The majority of vendors who develop apps that require a
> > database do not go out and write their own, rather they use a database
> > engine that is suited to their needs. 
> 
> Except for the occasional password protection, databases don't need encryption
> to the extent e-mail does.

I work everyday with the NSA, CIA, Dod, Army, SAIC, all the phone companies,
many of the major banks, Intel, Human Genome Project, etc. Every one of these
folks would disagree with you. In fact it was one of the motivating factors
behind Tivoli comming out with their new Security Management application
because vendors required us to move away from our custom databases and
toward industry standards (Oracle, Sybase, Informix, DB2, DBMX, etc.) *AND*
at the same time requiring a better security mechanism than the existing one
we use (DES & Kerberos based).

The reality of the market does not support your thesis.

> You miss the point here. And you miss the many worked examples. RSA is selling
> lots and lots of toolkits for lots and lots of money for in-line integration
> into applications, not for pre- and post-processing. The former is the way to
> go; the latter a kludge until something better comes along.

Are they involved with the new Cryptographic Standard projects of the
government and Tivoli - IBM? I don't think so, at least I still haven't seen
them involved in any of the work I have had access to so far; much to my own
personal disappointment.


    ____________________________________________________________________
   |                                                                    |
   |    The financial policy of the welfare state requires that there   |
   |    be no way for the owners of wealth to protect themselves.       |
   |                                                                    |
   |                                       -Alan Greenspan-             |
   |                                                                    | 
   |            _____                             The Armadillo Group   |
   |         ,::////;::-.                           Austin, Tx. USA     |
   |        /:'///// ``::>/|/                     http://www.ssz.com/   |
   |      .',  ||||    `/( e\                                           |
   |  -====~~mm-'`-```-mm --'-                         Jim Choate       |
   |                                                 ravage@ssz.com     |
   |                                                  512-451-7087      |
   |____________________________________________________________________|